[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

To: tor-dev@xxxxxxxxxxxxxxxxxxxx, Peter Schwabe <peter@xxxxxxxxxxxxxx>
Subject: Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
From: Zhenfei Zhang <zzhang@xxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 9 May 2016 14:04:27 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 09 May 2016 14:05:08 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=securityinnovation.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to; bh=MYfGKA9fG5C5cfdpmfHG+K+qQF8GL5Cl0lEaylkEyQk=; b=f6L1pGQsr4iS+CdcNwlUW3SBGS1XnpaSlzGR5hauJWRZdNZJ2zMnR4tVPCvl3MHUHV YDZEkZRB0RoTE9t2+cQDifkJmCh6iQuMZh80JD3+LoFVzo594uHO85Tf8xnNbp65XMEW 2G3hQJUGkL2B4hrrJJynhmQuKwAjnMQy/kUFM=
In-reply-to: <20160509160719.GP1741@xxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <bb6818dd50413b9bbdce5c6e0f782f9f.webmail@localhost> <20160508152000.GL1741@xxxxxxxxxxxxxxxxxxxxx> <568167a5d52a787f6732777e9d09d20d.webmail@localhost> <20160509160719.GP1741@xxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi all,

If I understand it properly, in the proposal the client need to send the whole

matrix A during the first initiation message. I draw this conclusion from the

datagram:

 | a, A         := NEWHOPE_KEYGEN(SEED)                                                 |
 | CLIENT_HDATA := ID || Z || X || A                                                    |
 |                                                                                      |
 |               --- CLIENT_HDATA --->

May I ask why? Is it because the keypair generation is modularized, and
hence a and A are connected from a protocol point of view? However, in the

original construction of new hope, or other R-LWE based schemes, a and A

are sampled independently, giving out the seed of A will not leak information

on a. So how about the following:

 | A            := NEWHOPE_PK_KEYGEN(SEED1)                                             |
Â| a            := NEWHOPE_SK_KEYGEN(SEED2)                                             |
Â| CLIENT_HDATA := ID || Z || X || SEED1                                                |
 |                                                                                      |
 |               --- CLIENT_HDATA --->

This will save significant data for the first transmission: over 1 KB of A

compared to 32 bits of SEED1. The server will be able to recover A from

NEWHOPE_PK_KEYGEN which will be a public function.

Cheers,

Zhenfei

On Mon, May 9, 2016 at 12:07 PM, isis <isis@xxxxxxxxxxxxxx> wrote:

eikovi@xxxxxxxxxxx transcribed 0.6K bytes:
> isis wrote:
> > eikovi@xxxxxxxxxxx transcribed 1.1K bytes:
> >> Typos:
> >
> > Thanks!Â Fixed:
> >
> > https://gitweb.torproject.org/user/isis/torspec.git/commit/?h=draft/newhope&id=5c115905
>
> You skipped 2:
>
> -Â public keys already being in included within the "ntor-onion-key" entry.
> +Â public keys already being included within the "ntor-onion-key" entry.
>
> -Â [0]; a pseudocode description of a very naive inplace transformation of an
> +Â [0]; a pseudocode description of a very naive in-place transformation of an

Oops!Â Thanks again.Â Peter fixed those in this commit:
https://gitweb.torproject.org/user/isis/torspec.git/commit/?h=draft/newhope&id=28181cc7

--
Âââ isis agora lovecruft
_________________________________________________________
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://fyb.patternsinthevoid.net/isis.txt

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: Zhenfei Zhang

References:
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: eikovi
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: isis
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: eikovi
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: isis

Prev by Author: Re: [tor-dev] exitmap modules that make *lots* of connections
Next by Author: Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
Previous by thread: Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
Next by thread: Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
Index(es):
- Author
- Thread